Is Your Telemedicine Company HIPAA Compliant?

May 22, 2017

UPDATE: According to a news release, the lawsuit filed against MDLive, Inc. was voluntarily dropped by the law firm that originally filed it. MDLive has since published a fact sheet responding to the allegations.

A lawsuit seeking class action status recently filed against Telehealth provider MDLive, Inc. underscores the need for all healthcare companies using new technologies to be mindful of how they collect, use and disclose a patient’s personal information.

The lawsuit, which was filed in U.S. District Court for the Southern District of Florida by Utah resident Joan Richards, alleges that MDLive, Inc. “covertly transmits” consumer’s personal and sensitive health information to a third party without notifying patients, and fails to restrict access to that information to only those with a legitimate need to view it – i.e. doctors and other medical providers.

To use MDLive’s services, patients must download an app and create an account. Patients must enter information including their health condition, allergies, behavioral health history, recent medical procedures and family medical history.

“Unbeknownst to patients, MDLive designed the app to capture the contents of patients’ screens by continually taking screenshots for the first 15 minutes patients use the app,” which the suit alleges is then transmitted to TestFairy, an Israel-based tech company that uses the information to test user interaction and check for bugs. The suit alleges that during the 15 minutes an average of 60 screen shots are taken and transmitted to third parties.

TestFairy is not a healthcare provider and patients are not made aware that their medical information is being transmitted in real time. In addition, the suit alleges that MDLive also allows its own developers and designers “unfettered access” to patients’ medical information.

The suit alleges, among other things, breach of contract in that MDLive failed to maintain the privacy and confidentiality of those using its service and who were required to enter into a contract with the company to receive remote healthcare services. It also alleges that by secretly capturing and transmitting a patient’s medical history, the company knowingly intruded upon the seclusion of Richards and other proposed class members – in other words invaded their privacy. The suit also alleges fraud, unjust enrichment, as well as violation of the Utah Truth in Advertising Law and the Utah Consumer Sales Practices Act.

MDLive’s website identifies the company as using an “industry-leading HIPAA and PHI-compliant, cloud-based platform.” The company, which was founded in 2009, is based in Sunrise, Florida. For $49 or less per visit, patients can download the app and have a virtual consult to diagnose non-emergency medical issues through secure video on their computer or smartphone, according to the company’s website.

MDLive posted a statement on its website denying the allegations and stating it is seeking dismissal of the lawsuit.

As telemedicine and other healthcare driven technology continues to evolve, it’s imperative that providers take appropriate steps to protect patient privacy. The Health Law Offices of Anthony C. Vitale’s highly skilled team of experienced legal professionals can help you to create a HIPAA Privacy and Security compliance program designed to meet your unique needs. Give us a call at 305-358-4500 or send an email to info@vitalehealthlaw.com and let’s discuss how we might be able to assist you.